IE10 There is a problem with this website's security certificate. RRS feed

  • Question

  • I have seen lots of posts but no answers.

    I have Windows 8 Pro RTM installed from MSDN. I am running IE10 and I go to my Linksys router and get the usual certificate error. In all previous versions of IE, you could just click continue and move forward. IE10 does not all this, please let me know where this setting is so I can use IE10, I hope I am not forced to use Chrome. Also there is no option to run as IE9 for some reason.

    Monday, September 3, 2012 1:33 PM


  • As a quick update, in my case, this appears to be due to the insistence on certificates with 1024-bit key length.

    I used the info in http://support.microsoft.com/kb/2661254 to bypass this.

    Specifically, I needed to do

    certutil -setreg chain\minRSAPubKeyBitLength 512

    From an admin command prompt.

    Hope this helps someone else.

    Thursday, September 27, 2012 12:14 PM

All replies

  • Does this occur if you use another brand/version router?

    check for firmware updates for your router.


    Monday, September 3, 2012 7:31 PM
  • I hear you, I am experiencing same issue with internal sites (equipment). Microsoft, please give me the option of doing my work without having to switch to Firefox or Chrome.

    Tuesday, September 4, 2012 4:10 AM
  • Hi,

    I am not able to reproduce the issue in IE10.

    Have you tried to access the web by using https instead of http? In addition, does the issue occurs on Desktop IE10 and Metro IE10 also?

    Kim Zhou

    TechNet Community Support

    Tuesday, September 4, 2012 6:12 AM
  • I only have one brand to test. It works fine in IE9. I will have to check on firmware for my access point.
    Tuesday, September 4, 2012 1:05 PM
  • In desktop IE10, I do not get a continue link. If metro IE10 I do get a continue link however it crashes once I click on it.

    http or https does not matter, same error.

    Works fine on XP and W7 all browser versions of IE.

    Problems WAP4400N using latest firmware 1.2.19.

    Sunday, September 9, 2012 8:26 PM
  • Hi,

    You may reset IE settings for a test. In addition, you can temporarily disable the third party add-ons for IE.

    Kim Zhou

    TechNet Community Support

    • Marked as answer by Kim Zhou Wednesday, September 19, 2012 12:35 AM
    • Unmarked as answer by MyWarHistoryDotCom Wednesday, September 19, 2012 11:35 AM
    Monday, September 10, 2012 1:49 AM
  • Are you serious?  I have a local internal website that I have used for years, now with Windows 8 and IE 10 I don't have the option of continuing.  Why does Microsoft feel need to protect me from myself, I am the freaking administrator, I should always be allowed to over rule stupid IE. 

    Tuesday, September 18, 2012 5:31 AM
  • I am the freaking administrator, I should always be allowed to over rule stupid IE. 

    Try using  iexplore.exe   Run as administrator...   then.


    Tuesday, September 18, 2012 4:03 PM
  • Running as administrator does not fix the issue, it still does not work.
    Wednesday, September 19, 2012 11:36 AM
  • Did anyone figure this out, I am having the same issues on an internal dev site we don't install the certificates, how can I bypass the certificate check?
    Tuesday, September 25, 2012 9:12 PM
  • Yup exactly the same issue here.

    When I first get to the page, I do get the option to continue. If I then click that, I get the same page but without the continue option, even though the URL is unchanged.

    This is when connecting to the Oracle Enterprise Manager that is using an internal certificate.

    Thursday, September 27, 2012 11:45 AM
  • How do you disable third part add-ons? This is Windows 8 and everything is impossible without the start bar. I cannot find the run without add-ons nore the 32 or 64 bit versions. 

    PS: Microsoft, everyone will revolt when the public finds out you took away the best feature of windows 7. Also why must you make it impossible to find how to logoff, restart or shutdown the computer. This is going to be Vista all over again even though the OS is stable.

    Thursday, September 27, 2012 11:53 AM
  • As a quick update, in my case, this appears to be due to the insistence on certificates with 1024-bit key length.

    I used the info in http://support.microsoft.com/kb/2661254 to bypass this.

    Specifically, I needed to do

    certutil -setreg chain\minRSAPubKeyBitLength 512

    From an admin command prompt.

    Hope this helps someone else.

    Thursday, September 27, 2012 12:14 PM
  • Carl_W the issue is with IE10, not creating certificates.

    Micorosft, please respond as it is required per MSDN.

    Thursday, September 27, 2012 3:29 PM
  • Yes, the issue is with the fact that IE10, and more importantly KB2661254 now requires that certificates have a minimum key length of 1024-bits.

    Nothing that I have posted has anything to do with creating certificates, I have simply provided a workaround for the issue that you are having.

    I was having an issue with exactly the same symptoms of yours and the workaround enabled me to click 'Continue to the website' and get on with my job.

    In particular, in the article I linked to:

    After the update is applied:
    • A restart is required.
    • A certification authority (CA) cannot issue RSA certificates that have a key length of less than 1024 bits.
    • CA service (certsvc) cannot start when the CA is using an RSA certificate that has a key length of less than 1024 bits.
    • Internet Explorer will not allow access to a website that is secured by using an RSA certificate that has a key length of less than 1024 bits.

    As item 4 states, if your Linksys router is using a certificate with a key length of less than 1024 bits, Internet Explorer will not allow access to it.

    I'm also pretty sure that there is no requirement for Microsoft to respond here, if you want them to then you should be raising it as a support incident.

    • Proposed as answer by [Optimus7] Friday, October 19, 2012 8:38 PM
    • Unproposed as answer by MyWarHistoryDotCom Monday, October 22, 2012 12:53 PM
    • Proposed as answer by Mike Pepper Thursday, November 29, 2012 7:21 PM
    • Unproposed as answer by MyWarHistoryDotCom Sunday, December 2, 2012 7:23 PM
    Thursday, September 27, 2012 3:42 PM
  • Many thanks Carl W! Your advice helped for me.

    I had the same problem with https and desktop IE 9.0.10 (KB2744842) on W7 with reset Internet options and no third party add-ons for IE. Running IE as administrator, when clicking on the "Continue to this website (not recommended).", the error page was reloaded and I couldn't enter my router's UI. I never had this problem before installing MS12-063: Cumulative Security Update for Internet Explorer: September 21, 2012

    • Edited by puding Saturday, October 13, 2012 1:49 PM
    Saturday, October 13, 2012 12:36 PM
  • Thanks a lot, Carl W. Fixed the issue here as well..
    Friday, October 19, 2012 8:38 PM
  • MWHDC,

    Carl_W's solution works.  Fixes the problem. 

    Try it. If it doesn't work, then object.

    Thursday, November 29, 2012 7:23 PM
  • As Carl_W states, just run this line "certutil -setreg chain\minRSAPubKeyBitLength 512" from command prompt. There is nothing to download or install. Browser should work after that.

    Not sure why Windows 8 is such a pain to do anything.

    Sunday, December 2, 2012 7:25 PM
  • Not sure why Windows 8 is such a pain...

    Those of you just blindly applying this command should really try to get your heads around why Carl_W's workaround is NOT a fix at all, and why Microsoft is not making the software (in this case at least) a "pain" for unfounded reasons.

    Follow the link that Carl posted and read about why it is that the software now requires a much longer minimum key length.


    The general idea is that at one time, not so long ago, computers weren't nearly as powerful as they are today, and it was practically impossible to crack security with a key length of 512 bits.  Computers (and notably GPUs) got hugely faster and lo and behold now just about anyone can afford a system that can derive the private key for a 512 bit public key in just a short amount of time.

    That which was once considered strong security protection is now rendered weak.

    Would you rather Microsoft make it convenient for someone to, say, spoof your bank's web site and create a web page that would grab up your account information when you log in?

    I didn't think so.

    To really fix the problem, if your little router or old internal server has an invalid security certificate with a short key, you should figure out what it is going to take to make it valid, rather than opening your entire browsing experience up to a security risk.   Actually, you should have done it before, when all you had to do was click the "Continue to the web site... (not recommended)" link.

    The certutil command above is not unlike your spouse saying "honey, I locked myself out of the car" and you deciding the fix is to just not lock the doors.



    Detailed how-to in my eBooks:  

    Configure The Windows 7 "To Work" Options
    Configure The Windows 8 "To Work" Options

    Tuesday, December 4, 2012 2:48 AM
  • certutil -setreg chain\minRSAPubKeyBitLength 1024 sets it back as MS intended. Run it with 512, log in, run it with 1024. Easy Peezy.
    Friday, February 22, 2013 5:42 AM
  • The issue is that Microsoft soldered the door instead of improving the lock. I agree with their decision, but not with their execution. An approach like the "program compatibility assistant" informs better the end user what happened and don't makes them waste their time researching "what is wrong".
    Thursday, March 7, 2013 6:17 PM
  • Stop side tracking and just do as Carl says. This fix will give you the opportunity to "Continue", exactly as in the old IE9 days.

    Thanks for providing the fix Carl.

    Friday, March 15, 2013 8:18 AM
  • I have a user currently experiencing this problem. Odd thing is that it seems to be selective... Their is a training portal they access online. When they access the online portal they get the old "Unable to open due to security" but are able to click on the "continue anyway" option. Once in they launch their particular training session and the same "Unable to open due to security" pops up again, only this time once we click on "contiue anyway" that option dissapears and we're left with the only option to close the window...

    Windows 7 SP1 and IE 10

    I followed the workaround but it still doesn't work. Any help or ideas would be appreciated!

    Friday, April 12, 2013 7:35 PM
  • That is not a satisfactory answer.

    I would expect IE10 to allow me to open whatever I say, when I say. Especially if it's in my trusted zone. It is NOT Microsoft's business to deny me access to a page.

    IE is supposed to navigate and open websites, as commanded by the user.

    Tuesday, April 16, 2013 1:48 PM
  • What appears to work for me with IE10 is, select Run as Administrator for IE (as suggested in one of the posts above), then the "continue anyway" option re-appeared.

    Then I made the Site a TRUSTED SITE in IE

    After doing that, I installed for the Certificate for the site (after entering the site, click RED bar saying issue with SSL and select INSTALL Certificate).

    After completing that, I closed IE and reopened in std mode (not run as Administrator mode) and then I could get to the site without any issues (and no SSL error messages)

    Only recommended for Internal and Trusted sites.

    • Edited by kj_f1 Friday, June 28, 2013 11:33 AM corrected wording
    Friday, June 28, 2013 11:33 AM
  • I'd hate to state the obvious but from experience in tech support 90% of certificate errors are down to date and time being set wrong on the computer. The only time that resetting the time/date has not fixed the issue was because the person calling was running the computer on a domain.

    Note incorrect date/time can cause certificate errors on all versions of IE.

    IMO IE10 is not the problem, the problem is sites being run on outdated code and complaining about IE will resolve nothing.

    Microsoft will keep developing new browsers especially when a new version of Windows is released compatability mode is a potential way of dealing with outdated sites. In situations where this does not work or you don't want to keep fighting with new versions of IE then use a 3rd party browser which is no great hardship (I am running a choice of 5 browsers on my Win 8 PC).

    Thursday, July 11, 2013 11:45 PM
  • This does not work as I don't get to "continue anyway". I have made the site TRUSTED as you did, but still no go.

    I did not install the certificate as I don't know where to get it from.

    Sunday, July 28, 2013 3:31 AM
  • This does not resolve the problem for me.

    In fact, I cannot get any browser to access my Linksys router: Safari, IE10, Google Chrome, Firefox.

    I am using Win 7 Home Premium 64-bit.

    Interestingly, the other day I setup a persons PC with an upgraded Win7 32-bit (from Vista) and in IE10 I got the "continue anyway" prompt and was able to access my Linksys router (M20) without doing anything fancy.

    Microsoft does need to fix this as all I should have to do is enter a specific website or IP address in Security/Local Intranet or MS should provide a setting which says disable certificate checks for this list of specific sites. That way my browser handles all unknown sites properly but lets me get around certificate errors for sites that I know are secure.

    Changing the certificate length to 512 bytes for all sites is a VERY BAD suggestion!!!

    • Edited by Mike Bluett Sunday, July 28, 2013 3:57 AM Added Cert length proviso
    Sunday, July 28, 2013 3:54 AM
  • Carl's fix works.

    Its not up to Microsoft to decide this for me.  Disabling all the IE security settings and adding trusted also did not work.

    I have not agreed with Microsoft that the key length for personal development sites needs to be extended to the point where the absolutely refuse access.  That's not their risk to decide on and we are not Microsoft employees, here to swallow whatever they want to feed us :P.  They changed their standard to be out of alignment with reality's standards and chose to make this difficult on people.  They should expect this type of response.  And they do (that's why they haven't bothered to hop on this thread)

    Monday, August 12, 2013 2:01 AM
  • Using IE 10, Windows 7 SP1 and I cannot connect to a development website with a 1024 bit self-signed certificate.

    I do not get the option to continue and running IE as an admin does not work nor does changing the minimum certificate length to 512 bytes.

    Any body have any other suggestions?

    Wednesday, September 4, 2013 12:19 PM
  • You are the man!

    Big help this morning.


    Friday, September 20, 2013 2:47 PM
  • Actually it's like not giving me the option to disable the lock on my kids bedroom door....

    We have a bunch of brand new gear which needs a web-based connection to be configured. Want to tell my how this security feature is a plus to me when I can't get into it to configure it with a cross-over cable on a laptop not hooked into anything else?

    I'm into the security thing but please don't try to sell me a lock for my toilet seat -- I need one for my front door, yes, but not something I need to access in a hurry and don't care if it's broken into!

    • Proposed as answer by Btgreen1 Thursday, November 21, 2013 3:20 PM
    • Unproposed as answer by Btgreen1 Thursday, November 21, 2013 3:20 PM
    Thursday, November 7, 2013 9:02 PM
  • I reproduced this issue with a Windows 7 pc running IE10.

    Pinning a website to the taskbar, opening the site, then going to the site with the invalid cert. does the same thing.

    If I open IE from 'All Programs', I get the bypass prompt. (the site I am going to has a 1024 key length expired cert) 

    Don't know how this relates to a Windows 8 PC, but maybe it will help.

    • Proposed as answer by Btgreen1 Thursday, November 21, 2013 3:31 PM
    • Unproposed as answer by MyWarHistoryDotCom Thursday, November 21, 2013 3:35 PM
    Thursday, November 21, 2013 3:21 PM
  • All browsers with be effected after December 31st 2013.

    certificates expiring in 2014 or later need to replace and  upgrade all certificates less than 2048-bit key length with 2048-bit RSA/DSA or 256-bit ECC certificates by October 1, 2013. All existing certificates less than 2048-bit key length should be revoked sometime after October 1 but before 12/31/2013. This is in compliance with NIST Special Publication 800-131A

    Friday, December 6, 2013 4:38 PM
  • sounds great except for the fact that I can't access the devices to upgrade the certificates!
    • Proposed as answer by Andy Barzyk Monday, December 23, 2013 2:55 PM
    • Unproposed as answer by Andy Barzyk Monday, December 23, 2013 2:55 PM
    Monday, December 23, 2013 2:49 PM
  • BTW: I finally gave up and purchased a Mac for device configs. Since it runs Unix it's actually better than a windows machine. That's disappointing when considering the fact that I've used the Wintel platform since DOS 2.x. I've defending Windows all through my undergrad and MS in Computer Science from people who are anti-Microsoft and even I can't defend this.
    Monday, December 23, 2013 2:59 PM
  • Thanks, helped me on IE11 as well. Followed the instructions from KB2661254 from Carl and it gave me the option now for Oracle EM (web): "Continue to this website (not recommended)". Now I can log into Oracle Enterprise Manager!
    • Edited by RayN5150 Tuesday, December 31, 2013 4:25 PM
    Tuesday, December 31, 2013 4:24 PM
  • In case someone else has this problem the solution presented here worked for me in accessing my Linksys WRT320N UI using IE11 on a PC with Windows 8.1 Enterprise eval. 64bit . With Firefox there was no problem.

    Just open a cmd as Administrator and:

    C:\Windows\system32>certutil -setreg chain\minRSAPubKeyBitLength 512
    HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCre

    New Value:
      minRSAPubKeyBitLength REG_DWORD = 200 (512)
    CertUtil: -setreg command completed successfully.
    The CertSvc service may need to be restarted for changes to take effect.

    • Edited by LuísSousa Sunday, January 5, 2014 3:59 PM
    Sunday, January 5, 2014 3:56 PM
  • I respectfully suggest that if you're considering taking the advice to lower your system's key length requirement with certutil that you go up and read my post in this thread as of December 04, 2012 so you get a better understanding of what it is you're changing.  Security is not something to be taken lightly, nor can you always fix things after a breach.



    Detailed how-to in my eBooks:  

    Configure The Windows 7 "To Work" Options
    Configure The Windows 8 "To Work" Options

    Sunday, January 5, 2014 5:38 PM
  • I respectfully suggest that Microsoft takes into consideration users without internet connection/old router and allows option where I can chose if I want to go and configure router. Because if I have computer without internet access and connected only to router then I can't even configure/update it. And when other browser makers make same decision because of security then what do I do? Take router to manufacturer so they can configure it?
    Tuesday, January 14, 2014 11:50 AM
  • I also concur that Microsoft is going about this the wrong way.

    I also had this same issue, W7 & IE10, could NOT continue to my INTERNAL MANAGEMENT server because of this error.

    So, I did the same fix with the cmd prompt and lowered mine to 512. Then I had to change IE setting to "View all site in Compatibility View" and I was able to get to the site.

    However, now that I have done that, IE10 is now giving me problems where I DID NOT have an issue before. Trying to go to another INTERNAL web interface...Replay Appassure, and guess what...IE10 now has issues with this. So then I have to go back into the settings and tell it NOT to use Compatibility View.

    Here is another example: I have an APC UPS for my ESXi Host. there are two web interfaces to manage said product. On the one web interface that configures PCNS vMA, if I DO NOT have compatibility checked, I can not get to the page as it throws out a bunch of java crap errors. So I enable Compatibility and I can then manage the device. Then I need to go to the second interface for setting specifics for the behavior, and guess what, on this page Compatibility view does NOT work. So I then have to go back in yet again, to turn OFF this setting.

    MS actually thinks I don't mind bouncing around like this. What a bunch of terds.

    Between MS and Java, the world is coming to and end sooner than later and I am totally fed up with both of these companies. No one breaks stuff faster or better than MS and Java. Take a bow.

    Really sad that Microsoft wants us to use their products in our domains, but you cannot use there browser to manage any web interfaces without jumping through yet another field of land mines.

    Best suggestion.....UNINSTALL IE FOREVER

    Firefox and Chrome DO NOT HAVE THIS ISSUE...Take a HINT!!

    More MS Frustration sets in yet again.

    Wednesday, February 12, 2014 5:02 PM
  • Yes, I'd like it to make it very convenient for any damn person to do anything they want to do; record it ALL, every activity on earth.

    Screw security.

    Thursday, March 6, 2014 10:07 AM
  • Screw laws rules standards specifications and most particularly security.
    Thursday, March 6, 2014 10:08 AM
  • Screw laws rules standards specifications and most particularly security.



    Detailed how-to in my eBooks:  

    Configure The Windows 7 "To Work" Options
    Configure The Windows 8 "To Work" Options

    Thursday, March 6, 2014 7:20 PM
  • I'm using Windows 8 and Explorer 10

    The solution may be as simple as looking on your control panel for the newest programs that were loaded most recently on the same day and deleting them.  About four days ago my browser started posting an invalid certificate on every web page.  Yes even the good owes like Google, Yahoo, AOL... etc.  No matter what web page I went to, the invalid certificate warned me of the web page.  Windows defender missed them in the scan.  When you look at this issuer of the certificate it says DO_NOT_TRUST_FiddlerRoot.  There we about four or five programs that were installed on the same day.  Once of them was named Browser Safeguard and it was installed on the same day as the other four programs so I deleted it too then rebooted.  I also went to:

    Internet Explorer/Internet Options/Connections/Local Area Network (LAN) Settings  and uncheck the Proxy Server box.

    No more problems with invalid certificates.

    Les Draper

    Little Rock AR

    • Edited by Les Draper Tuesday, March 25, 2014 7:11 PM
    • Proposed as answer by Les Draper Tuesday, March 25, 2014 7:12 PM
    • Unproposed as answer by MyWarHistoryDotCom Tuesday, March 25, 2014 7:14 PM
    Tuesday, March 25, 2014 7:11 PM
  • Screw laws rules standards specifications and most particularly security.

    Great answer from a guy who's profile says he does other peoples taxes for a living.  Classssy.

    Same issue here, Win7, IE10, all updates current to the date of this post.  Ran the change as suggested above, including reboot.  Current workaround is Firefox.  Please advise.

    Tuesday, May 20, 2014 2:23 PM
  • This worked for me. Thanks!
    Tuesday, June 3, 2014 4:02 PM
  • Carl - excellent advice, that worked for me. I now have the option to continue. As to why MS thought is was a good idea to remove that, who knows why they choose to frustrate their user base. They could have had an Option in the Security tab or something more easily configurable. Like you I am the admin that setup the server and it's an internal server. They just seem to be a bit myopic at times.

    Thanks again for the excellent fix!


    Thursday, August 14, 2014 5:10 PM
  • Noel - I am well aware of the security reasons as to why you would want your RSA keys to have more bits. But the fact is all that Carl's "fix" does is allow me to choose to "Continue at my own risk". I'm a big boy and I know when the web site I am hitting is an internal server and I can safely continue. I setup the server and it's using a self-signed cert. There is no reason for me to have to spend money each year to renew a cert that is only used internally.

    The fact that Microsoft chose to enforce a setting that is going to cause many people problems with older equipment and or some web sites is the real problem. They are way too myopic and premature in forcing that restriction on everyone. What a pain it must be for people to all of a sudden not be able to connect to their router. It's highly unlikely they can upgrade the router, and why should they have to.

    Maybe a few more years down the road might be better timing. Like Windows 8, Microsoft seems to have little regard for the level of frustration it may cause some people to endure.

    I think having the warning is a good thing, people just need to be very discriminating when choosing to continue, but not be shut out entirely. At least not at this point, but your points are well taken.

    Thursday, August 14, 2014 6:02 PM
  • Just to add for anyone who, like me, comes to this discussion whilst researching the registry entry.  I've just found that we had to use a different entry for a handful of Windows 2003 64 bit machines, as the one in KB 2661254 doesn't work.

    The alternative I had to use is:-

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\Encoding Type 0\CertDllCreateCertificateChainEngine\Config     MinRsaPubKeyBitLength   DWORD  512

    NB.  I've searched google and bing and found no reference to this, but it sorted our issue.

    Monday, October 20, 2014 10:09 AM
  • By reducing the certificate requirements of the browser like this you can now connect to the Linksys web GUI with its much shorter bit key length certificate - this of course opens your browser up to a security vulnerability so choose wisely where you decide to lower your guard - for me I have an obscure vm that is rarely used and only for administrative uses; I can do this on that vm and have little security risk.

    Dale Unroe

    • Edited by Dale DU-IT Monday, January 25, 2016 9:51 PM
    Monday, January 25, 2016 9:49 PM
  • Carl's "fix" does is allow me to choose to "Continue at my own risk".

    As long as you're sure you'll be prompted every time, more power to you.


    Detailed how-to in my eBooks:  

    Configure The Windows 7 "To Work" Options
    Configure The Windows 8 "To Work" Options
    Not feeling enough love to make one for Windows 10

    Monday, February 1, 2016 2:47 PM